[Security] Specify the list of accepted algorithms in jwt.decode() ca…

…lls to mitigate https://nvd.nist.gov/vuln/detail/CVE-2024-33663. We specify the accepted algorithms to be [RS256] as suggested by Amazon Cognito.
aws · Jul 22, 2024 · 67599f8 · 67599f8
1 parent 8e6798d
commit 67599f8
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/api/PclusterApiHandler.py b/api/PclusterApiHandler.py
@@ -62,8 +62,11 @@
     JWKS_URL = os.getenv("JWKS_URL",
                          f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}/" ".well-known/jwks.json")
 
+
 def jwt_decode(token, audience=None, access_token=None):
-    return jwt.decode(token, requests.get(JWKS_URL).json(), audience=audience, access_token=access_token)
+    return jwt.decode(
+        token, requests.get(JWKS_URL).json(), audience=audience, access_token=access_token, algorithms=["RS256"]
+    )
 
 
 def setup_api_credentials(role_arn, credential_external_id=None):